What feeling did not find good material, write it yourself.
Posted several useful links
Strongly recommended first!
https: //carpe-dm***.com/category/networking/viptela/
https://www.grandmetric.com/2018/02/19/cisco-viptela-sd-wan-components-connectivity-viptela-part-1/
https://www.grandmetric.com/blog/2018/03/19/cisco-viptela-sd-wan-components-connectivity-part-2/
https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2019/pdf/BRKRST-2558.pdf
https://www.cisco.com/c/dam/assets/global/CN/solutions/industry/segment_sol/enterprise/programs/2018/cin_fy19q2_en_workshop_ppt.pdf
Tell us about the various terms. SD-WAN and the most important principle is the data plane and control management level separated off.
Including management level is vManage, control plane is vSmart, the data level is vEdge or cEdge.
vManage role:
Translation is
- day0 day1 day2 operation and maintenance are required vManage
- Multi-host (we can understand the function, or the need to provide services throughout the sdwan is divided logic on demand)
- policy and template (both very important, will speak later)
- Troubleshooting, monitoring
- upgrade
- Role base access control
- You can try rest or netconf
vSmart的作用
就是control plane,我们可以理解为主要的作用就是传播路由协议。我在别的视频里有的大神解析过,这有点想iBGP,而vSmart有点像BGP的路由反射器。
vBond的作用
又叫耦合层,实际上就是存储了各个vEdge的信息,保证他们的证书和序列号是valid的。同时因为园区网现在有大量的NAT,vBond也会保存这些信息。高度概括:就是负责所有device(controller,router)的onboarding
这个链接里这个哥们总结的非常好https://carpe-dm*.com/2018/10/13/sd-wan-deep-dive-vbond/
The vBond holds the information needed to authenticate the vEdges/cEdges that wish to join the fabric, as well as the the list of vManage and vSmart controllers to pass along to those routers.**
SD-WAN 术语
Site-ID:鉴别source location,实际上类似OTV里面的site id,就如同一个数据中西的site id肯定是一样的
System IP:类似于普通路由协议中的loopback interface
Organization Name:在证书认证过程中的时候用的
OMP: Overlay Management Plane
- 基于TCP的协议
- 这是在vEdge/cEdege 与vSmart之间运行的,是个DTLS的隧道,Edge之间因为只有数据层面,是没有这个OMP存在的
- 利用address family来宣告TLOC(实际意义上的下一条)
- 分发IPSec的encryption key,和data app-aware policies
-
补一份OMP的细节,可以看到非常多种类的路由
TLOCs Transport Locators
TLOC是经由vSmart通过类似路由反射器的方式传递给各个vEdge的,TLOCs里面比较重要的几个元素:System IP,color,和ipsec加密各种参数
TLOC的color
这是个非常有趣的概念,重点在前两个:
- TLOC interface on edge device (实际上就是system ip)
- underlay network attachment (底层的网络使用的是什么介质)
下面这个图就解释的很形象了
以下这幅图比较重要
OMP的更新:
- 可达性 IP subnets和TLOC,bgp ospf connected static等路由
- IPSec的秘钥
- 策略(这个之后详细解释)
控制层面用DTLS隧道保护,数据层面IPSec保护。数据层面的ipsec tunnel用bfd监控。
SD-WAN的多宿主环境是通过下面这种方式实现的,其中LBL是label的意思。。。查了10分钟。。。这个图会在应用场景再做解释
SD-WAN数据加密方式,前面说过,这是OMP传输的一种属性,有趣的是使用的方式。加密仍然是使用对称秘钥,不过这个秘钥是peer生成的。每一对秘钥,是基于底层传输层来生成的。
三种证书的部署方式
我先跳过template等配置,讲OMP的概念
可以看到vSmart其实就是个路由反射器,只不过传输的路由多种多样,但也和IOS里面的有点类似,address family 各种路由协议的路由。
传播的信息一个分四种
- vRoute 就是背后的传统的路由协议宣告的网段
- TLOC understand this as the next hop, but there are a number of key aspects of IPSec information
- Services
- Policies
OMP transmission route is also a routing sequence
At that time we will see the configuration examples vEdge based on each "virtual private network" configuration. 
This figure "virtual private network" 0 very interesting, cut down a glance.
Plicies strategy
we see in detail the concept of policy
sub-four policy
data level
control plane
app-aware policy (judged by applicationSLA)
VPN policy Membership (fabric routing + segment multihomed)
Part of the control strategy. 
One of the most common scenario is the hub-spoke or spoke-spoke connections. Some traffic to go through headquarters inspection firewall filtering, some visitors may flow directly through the internet directly spoke spoke out
Data Strategy
Simply understood as routing changes, such as those based QoS allows voice traffic through MPLS, unimportant traffic through internet
Application-aware policy
The next one I will intercept vSmart vManage vEdge steps on how to install.